
Xfinity Portal Code


triptech


I have experimented (for learning purposes) with the Xfinity Portal. Because I did this as a learning exercise, I created my own portal files by "hacking" together a cloned version of the Comcast page. This probably isn't as fancy as the one posted above, so I can't speak to the reliability of those  

In my experience the best way to get it to work is using Evil Portal AND Dnsspoof along with PineAP. Using this method has proven successful in my at-home testing. I found that bypassing the captive portal was possible without using DNSspoof.

The newest versions of Evil Portal no longer use nodogsplash, which means the process is simpler. Here are some general tips:

(These are for NANO)

1. Configure DNSspoof to point everything to 172.16.42.1 (assuming you're using a pineapple)

2. Create a new portal using the EvilPortal interface. Name it xfinity. 

3. SCP into pineapple and browse to /root/portals/xfinity

4. Place xfinity portal code in this directory. Note: for best results the primary index should be index.php

5. Activate portal and start EvilPortal - this will generate the "live" preview section. Alternatively browse to 172.16.42.1 using a web browser to see if the landing page appears  

6. SCP / SSH to /www - you should now see link files pointing to all the files you placed in the xfinity folder. Activating and deactivating moves / removes these links. 

7. Enable DNS spoof 

8. For best results using PineAP only broadcasting "xfinity" wifi, and NOT capturing SSIDs will help you get clients connected. 

 

This is by no means a detailed write up ... But these are the loose steps I've used with success.


Another quick note:

 

You could use XAMPP to test things locally on your own system to make sure you get all your syntax and dependencies set up correctly.

 

XAMPP loads up a quick webserver that supports php for quick testing.  


I decided to grab a copy of the portal code posted above. One thing you may run into issues with is the use of the two subfolders (auth and index_files). In my experience EvilPortal at times will get wonky with sub directories. Sometimes it will activate them correctly (IE: move the pointers in the WWW directory), but sometimes it doesn't.

So, if you are using that setup, make sure you have all the needed files in /WWW AFTER you activate it via EvilPortal

If you want to bypass evilportal altogether, you could SCP the contents of one of those files straight into /WWW - This will sort of break other modules that may use that directory (Portal Auth and EvilPortal) as they won't be able to move things in and out of that directory.

Again, if you want to quick test the files, load them into XAMPP and make sure they are served up correctly (I did this and can confirm they work really well . . . better than my version)


Ok . . . .last post on the topic for me:

I decided to jump down the rabbit hole with this project last night and get it working with the post code from GitHub. The issue is that the write up is a bit dated if you are using a NANO or even the newer versions of evilportal.

As best as I can tell, the only way I could get it to work was to modify the landing page (index.html) to be an index.php page (not totally necessary, but it seems that captive portal is very specific as to where it shoots traffic and it has to be index.php). I also had to modify all of the various pointers within the file to point to ./ instead of ./index_files and ./auth (in the .php action file). EvilPortal does its job well as long as you are working with flat file structures. Finally, I had to change the header coding as the webserver on the NANO didn't want to display it despite the fact that XAMPP displayed it perfectly.

You will still have two issues to work around:

1. If you are going to use the captiveportal option in EvilPortal, it appears that one could bypass the portal pretty easily

2. You may want to use DNSspoof as well. However, if your attached client bypasses the captiveportal and attempts a connection to a secure site (facebook.com) then they will get an error page instead of your portal page.

Perhaps I am over complicating things . . . I am by no means an expert! But I don't think just dumping the attached code into your evilportal directory and then activating it will work. You could work around it by just dumping into /www but then you have to manually remove the files to "take the page down"

Anyways, that's all for me.


Eh, I dunno how any of you had any luck setting up a clone xfinity. Last time I tried setting one up, I believe it wouldn't let you get past the login page; also, I think that the DNSSpoof wasn't working correctly. I'll have to try again and see if there have been any changes since the MK5, which was the last time I tried setting one up. I wanted to do a video demonstrating how hackers could do something like this so people could be better aware.


1 hour ago, ZaraByte said:

> Eh, I dunno how any of you had any luck setting up a clone xfinity. Last time I tried setting one up, I believe it wouldn't let you get past the login page; also, I think that the DNSSpoof wasn't working correctly. I'll have to try again and see if there have been any changes since the MK5, which was the last time I tried setting one up. I wanted to do a video demonstrating how hackers could do something like this so people could be better aware.

Maybe I can make a more detailed write up for it sometime soon. There was a bit of coding I had to change  

You are right in that the current version won't actually move you past the login screen. It simply asks you to re-enter your info.  I can also only get it to work while also using DNSspoof. In fact, I don't even activate the captive portal option in evil portal. I simply activate the portal profile to allow it to move the files into www, and use DNSSPOOF to redirect the traffic. If I wanted to spend more time on the project I'd bet you could get it to redirect  

The only issue with this is if the client has already previously bypassed and had an active internet connection on that SSID, then you won't hit the captive portal at first association. This means only http traffic will be redirected. So if a client connects, goes to an https address, gets the connection error, it would be sort of a red flag to them.

At any rate, I have yet to test it in the wild, and likely won't. I have only tested it with my personal lab and with friends. 

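Seen from the client side, the DNSspoof redirect discussed in this thread leaves a recognizable footprint: unrelated hostnames all resolve to one local address (172.16.42.1 in the steps above). The following Python check is an added example, not code from the thread or from any of the tools named; the canary hostname, the function names and the sample answers are constructed for illustration.

```python
import ipaddress
import socket
from collections import Counter

# Hypothetical canary: .invalid is a reserved TLD (RFC 6761) and must never resolve.
CANARY = "captive-check-7f3a.invalid"
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample answers (not captured traffic).
SPOOFED = {"example.com": ["172.16.42.1"], "example.org": ["172.16.42.1"],
           "example.net": ["172.16.42.1"], CANARY: ["172.16.42.1"]}
NORMAL = {"example.com": ["192.0.2.10"], "example.org": ["198.51.100.7"],
          "example.net": ["203.0.113.25"], CANARY: []}


def is_local(ip):
    """True for RFC 1918, loopback and link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def resolve(names):
    """Live lookup: hostname -> sorted IPv4 answers ([] when the name does not resolve)."""
    out = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
            out[name] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            out[name] = []
    return out


def classify(answers):
    """Return (verdict, reasons) for a {hostname: [ip, ...]} map."""
    reasons = []
    if answers.get(CANARY):
        reasons.append(f"canary resolved to {answers[CANARY]}")
    real = {n: a for n, a in answers.items() if n != CANARY and a}
    # How many of the unrelated names were answered with each address.
    shared = Counter(ip for addrs in real.values() for ip in set(addrs))
    for ip, count in shared.items():
        if len(real) >= 2 and count == len(real):
            reasons.append(f"all {count} unrelated names resolve to {ip}")
    local = sorted(n for n, addrs in real.items() if all(is_local(ip) for ip in addrs))
    if local:
        reasons.append(f"local-range answers for public names: {local}")
    verdict = "hijacked" if len(reasons) >= 2 else "suspicious" if reasons else "clean"
    return verdict, reasons


if __name__ == "__main__":
    print(classify(SPOOFED))  # constructed input; on a live network: classify(resolve([...]))
```

A "hijacked" verdict also fires on ordinary captive portals that rewrite DNS before sign-in; either way the network should be treated as untrusted and no credentials entered until DNS answers normalize.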

I did test this out about an hour ago; it appears to work better than it did before, maybe for a few reasons: the phone I'm using, or maybe because the features in the NANO now are better than they were on the MK5.

But as said above I did notice that after entering the user name and password and submitting it redirects back to the sign in again.

Also as stated it appears you can bypass this by simply opening a browser on the device and browsing like normal.

The phone I tested on was an iPhone 4s; once you connect to the fake AP it loads the xfinity page, but I'm not 100% sure and haven't tested this with any other device yet to see if it will send you to the login after connecting or not.

But I do agree this should only be used for testing and not used for stealing Comcast accounts as that does break US laws.

I wanna mention I did have to replace the $authtarget and replace it with the folder of which the login-page-option was in.

Then I replaced the code in the splash.html with the code in the index.php for the xfinity portal that was made.

Edited by ZaraByte

9 hours ago, ZaraByte said:

> I did test this out about an hour ago; it appears to work better than it did before, maybe for a few reasons: the phone I'm using, or maybe because the features in the NANO now are better than they were on the MK5.
>
> But as said above I did notice that after entering the user name and password and submitting it redirects back to the sign in again.
>
> Also as stated it appears you can bypass this by simply opening a browser on the device and browsing like normal.
>
> The phone I tested on was an iPhone 4s; once you connect to the fake AP it loads the xfinity page, but I'm not 100% sure and haven't tested this with any other device yet to see if it will send you to the login after connecting or not.
>
> But I do agree this should only be used for testing and not used for stealing Comcast accounts as that does break US laws.
>
> I wanna mention I did have to replace the $authtarget and replace it with the folder of which the login-page-option was in.
>
> Then I replaced the code in the splash.html with the code in the index.php for the xfinity portal that was made.

Yeah, if you dig into the code, you can see that it purposely directs you back. It's a never-ending loop in an attempt to get as many different passwords as possible. If you were trying to be more covert, you would have to add logic that allows the user to pass. The biggest issue with this is that, in order to pass, that means you also have to serve up an uplink to the internet. Not a problem, generally speaking. However, DNSspoof doesn't seem to work if you are also serving up an active internet pipe.

So, it's sort of a catch-22.

I am sure there are better ways to implement it, but this is the best I've found: Serve it up using EvilPortal coupled with DNSspoof

Again, I am not out trying to make it more covert or even easier to use. I have used it mostly as a demo to friends that often use xfinitywifi - I have scared them enough that they just turn wifi off when they leave the house! ha

 


I did the same thing with a FB landing page and noticed that no matter what I did, it would always keep me at that login page and the login button would not redirect to FB. I tried changing the code for the Login Button to redirect it, but nothing I did worked. I looked all over and tried a bunch of different things but couldn't find a fix.


When your user submits the login form you should make an ajax request back to the server to store the data and then give them a message on the page that says "wrong username or password" and then have them enter it again and then send that back to the server to write it to a file and if they are the same username and password as previously entered then authorize them otherwise have them enter the username and password again. It's only a good 20 lines of code.


37 minutes ago, newbi3 said:

> When your user submits the login form you should make an ajax request back to the server to store the data and then give them a message on the page that says "wrong username or password" and then have them enter it again and then send that back to the server to write it to a file and if they are the same username and password as previously entered then authorize them otherwise have them enter the username and password again. It's only a good 20 lines of code.

Oh for sure. I think the real answer here is how tricky do you want to be? I got this working more as an experiment and a scare tactic for some friends.

 
